An IT expert filed a whistleblower suit against Autonomy Capital, claiming the investment management firm fired him after he warned the firm — and the Securities and Exchange Commission — about significant defects in its cybersecurity systems.
In the suit, filed Tuesday in U.S. District Court for the Southern District of New York, Nicholas Moniodes claimed that soon after joining Autonomy in 2014, he realized that the company had “massive holes in its cybersecurity systems, violating both” the SEC’s rules and industry best practices.
Also named in the suit as defendants were Autonomy’s two top executives: Robert Gibbins, its partner, founder and chief investment officer; and Ivan Ritossa, its CEO.
Autonomy Capital, based in Jersey in the Channel Islands, has about $8 billion in assets under management in pooled investment vehicles, largely for clients outside the U.S., according to its most recent Form ADV.
In a statement provided to ThinkAdvisor on Wednesday, Autonomy said only: “These are baseless allegations and the firm will defend itself vigorously.”
Moniodes, who previously worked for firms including Morgan Stanley as its Asia chief technology officer and Deutsche Bank as executive director and CTO-Americas, according to his LinkedIn page, claimed in the suit that he specifically “discovered that Autonomy did not have up-to-date Data Loss Protection (“DLP”) software in place to protect its investors’ Producer Price Index (“PPI”) data.”
He “further realized that the Company did not have sufficient Mobile Device Management (“MDM”) DLP protection,” according to the suit.
“The impact of these holes in Autonomy’s cybersecurity systems was potentially seismic and could leave the Company’s clients vulnerable to having their data hacked by third parties, as well as to mass deletion in the event of an unexpected technology event,” the suit alleged.
Moniodes “knew that he could not allow these troubling cybersecurity deficiencies to go unaddressed,” and so he “volunteered to the SEC that Autonomy did not have sufficient DLP software protections in place and that the Company was, therefore, in violation of applicable SEC rules,” according to the complaint. He also “led the internal charge to address these issues,” the suit said.
Moniodes raised the cybersecurity issues he had identified with Autonomy’s senior management, but the company “did not heed” his “warnings and failed to take the required steps to address its DLP deficiencies at that time,” the suit alleged.
“Subsequently, in mid-2019, during a telephone conference in the midst of an SEC audit into Autonomy’s cybersecurity capabilities, Mr. Moniodes proactively admitted to the SEC that the Company did not have sufficient MDM DLP in place,” according to the suit.
“Unfortunately, rather than thanking Mr. Moniodes for protecting the Company’s clients’ data and information, Autonomy retaliated against him for daring to inform the SEC about their cybersecurity issues, ultimately terminating his employment as a result,” according to the complaint.
Moniodes is looking to recover damages arising from Autonomy’s “unlawful retaliation against him for protected whistleblower activities in violation” of federal laws including Section 806 of the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, he alleged in the suit.
The plaintiff also planned to file a complaint with the Occupational Safety and Health Administration of the Labor Department, alleging Sarbanes-Oxley violations, according to the suit.